Secure storage of secret data in a dispersed storage network
First Claim
1. A method comprises:
for secure storage of a data access key of an originating device:
encrypting, by the originating device, the data access key using secret data to produce an encrypted data access key;
dispersed storage error encoding the encrypted data access key to produce a set of encoded data access key slices;
sending the set of encoded data access key slices to storage nodes of a distributed storage network (DSN) for storage therein;
transforming, by the originating device, the secret data to produce a plurality of secret data shares;
obtaining, by the originating device, unique encryption values of trusted agent modules of the DSN;
encrypting, by the originating device, the plurality of secret data shares using the unique encryption values to produce a plurality of encrypted secret data shares; and
sending, by the originating device, the plurality of encrypted secret data shares to the storage nodes for storage therein; and
for secure retrieval of the data access key:
sending, by the originating device, a secret data retrieval request to the trusted agent modules;
in response to the secret data retrieval request, recovering, by the trusted agent modules, the plurality of encrypted secret data shares from the storage nodes;
decrypting, by the trusted agent modules, the plurality of encrypted secret data shares using a decryption function corresponding to the unique encryption values to recapture the plurality of secret data shares;
sending, by the trusted agent modules, the plurality of secret data shares to the originating device;
recovering, by the originating device, the secret data from the plurality of secret data shares;
retrieving, by the originating device, at least a decode threshold number of encoded data access key slices of the set of encoded data access key slices from at least some of the storage nodes;
recovering, by the originating device, the encrypted data access key from the at least the decode threshold number of encoded data access key slices; and
decrypting, by the originating device, the encrypted data access key using the recovered secret data to recover the data access key.
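The storage and retrieval flow of claim 1, as an added Python simulation that is not part of the patent: an n-of-n XOR sharing stands in for the share transform, a 2-of-3 XOR parity code stands in for dispersed storage error encoding, and a SHA-256 keystream XOR stands in for the agents' encryption. All function names, the in-memory storage-node dictionary and the sample values are assumptions made for the example.

```python
import hashlib
import secrets
from functools import reduce

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in cipher (XOR with a SHA-256 keystream): runs offline, but is symmetric
    # and unauthenticated, so it only models where encryption happens, not its strength.
    ks = b"".join(hashlib.sha256(key + label + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return xor(data, ks)

def split_secret(secret: bytes, n: int) -> list:
    # n-of-n XOR sharing (n >= 2): every share is needed; any n-1 reveal nothing.
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return shares + [xor(secret, reduce(xor, shares))]

def ida_encode(data: bytes) -> dict:
    # 2-of-3 erasure code (even-length input): two halves plus their XOR parity.
    h = len(data) // 2
    return {0: data[:h], 1: data[h:], 2: xor(data[:h], data[h:])}

def ida_decode(slices: dict) -> bytes:
    # Any two slices meet the decode threshold and rebuild the data.
    if 0 in slices and 1 in slices:
        return slices[0] + slices[1]
    if 0 in slices:
        return slices[0] + xor(slices[0], slices[2])
    return xor(slices[1], slices[2]) + slices[1]

def store(data_access_key: bytes, secret: bytes, agent_vals: list) -> dict:
    # Originating device: encrypt the key with the secret, disperse the ciphertext,
    # split the secret into one share per trusted agent and encrypt each to its agent.
    key_slices = ida_encode(toy_cipher(secret, b"key", data_access_key))
    shares = split_secret(secret, len(agent_vals))
    enc_shares = [toy_cipher(v, b"share", s) for v, s in zip(agent_vals, shares)]
    return {"key_slices": key_slices, "enc_shares": enc_shares}  # what the nodes hold

def agent_recover(agent_val: bytes, enc_share: bytes) -> bytes:
    # Trusted agent module: decrypts only its own share and returns it.
    return toy_cipher(agent_val, b"share", enc_share)

def retrieve(nodes: dict, agent_vals: list, available: list) -> bytes:
    # Originating device: rebuild the secret from all agents' shares, decode the key
    # ciphertext from a decode-threshold number of slices, then decrypt the key.
    shares = [agent_recover(v, e) for v, e in zip(agent_vals, nodes["enc_shares"])]
    secret = reduce(xor, shares)
    slices = {i: nodes["key_slices"][i] for i in available}
    return toy_cipher(secret, b"key", ida_decode(slices))
```

With all three agents answering, any two of the three key slices recover the key, so a lost storage node does not block retrieval; with an agent missing, the secret and therefore the key stay unrecoverable.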
Abstract
A method for secure storage of secret data begins with an originating device transforming the secret data to produce a plurality of secret data shares and encrypting the plurality of secret data shares using unique encryption values of trusted agent modules of a dispersed storage network (DSN) to produce a plurality of encrypted secret data shares for storage in storage nodes of the DSN. Retrieval of the secret data begins with the originating device sending a secret data retrieval request to the trusted agent modules and recovering, by the trusted agent modules, the plurality of encrypted secret data shares from the storage nodes. The method continues with the trusted agent modules decrypting the plurality of encrypted secret data shares using a decryption function corresponding to the unique encryption values and sending the plurality of secret data shares to the originating device.
18 Claims (independent claims 1 and 10; dependent claims 2-9 and 11-18 are not reproduced on this page)
10. A secret data storage facilitating system, wherein the system comprises:
an originating device that includes: an interface; memory; and a processing module; and
a set of trusted agent modules, wherein a trusted agent module of the set of trusted agent modules includes: an agent interface; an agent memory; and an agent processing module,
wherein for secure storage of a data access key of the originating device, the processing module of the originating device is operable to:
encrypt a data access key using secret data to produce an encrypted data access key;
dispersed storage error encode the encrypted data access key to produce a set of encoded data access key slices;
send the set of encoded data access key slices to storage nodes of a distributed storage network (DSN) for storage therein;
transform the secret data to produce a plurality of secret data shares;
obtain unique encryption values of the set of trusted agent modules;
encrypt the plurality of secret data shares using the unique encryption values to produce a plurality of encrypted secret data shares; and
send, via the interface, the plurality of encrypted secret data shares to the storage nodes of the DSN for storage therein; and
for secure retrieval of the data access key:
the processing module of the originating device is operable to send, via the interface, a secret data retrieval request to the set of trusted agent modules;
in response to the secret data retrieval request, the agent processing module of the trusted agent module is operable to:
recover, via the agent interface, one of the plurality of encrypted secret data shares from one of the storage nodes;
decrypt the one of the plurality of encrypted secret data shares using a decryption function corresponding to a unique encryption value of the trusted agent module to recapture the one of the plurality of secret data shares; and
send, via the agent interface, the one of the plurality of secret data shares to the originating device;
the processing module of the originating device is further operable to:
recover the secret data from the plurality of secret data shares;
retrieve, via the interface, at least a decode threshold number of encoded data access key slices of the set of encoded data access key slices from at least some of the storage nodes;
recover the encrypted data access key from the at least the decode threshold number of encoded data access key slices; and
decrypt the encrypted data access key using the recovered secret data to recover the data access key.